APIs Detailed CloudWatch Metrics

Risk level: Medium (should be achieved)

Rule ID: AG-002

Ensure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly.

This rule can help you with the following compliance standards:

MAS
NIST 800-53 (Rev. 4)

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Operational
excellence

Performance
efficiency

The main benefit of enabling AWS CloudWatch metrics for API stages is getting more granular metric data which can help you to act fast and take immediate actions based on information delivered by these metrics through alarms. For example, if you developed a critical API and you need to be notified sooner when there is a sudden spike in 4xx or 5xx errors, you can set alarms that monitors and triggers on a per minute basis (instead of 5 minute period) using the data gathered by detailed CloudWatch metrics.

Audit

To determine if your API stages have AWS CloudWatch metrics enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name (link) to access the API configuration.

05 In the left navigation panel, under APIs, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to examine.

07 On the API Stage Editor panel, select Logs tab to access the stage configuration settings.

08 In the CloudWatch Settings section, verify Enable Detailed CloudWatch Metrics setting status. If Enable Detailed CloudWatch Metrics checkbox is unchecked, AWS CloudWatch detailed metrics are not enabled for the selected API stage.

09 Repeat steps no. 6 – 8 to check the AWS CloudWatch detailed metrics setting for other API stages created for the selected API.

10 Repeat steps no. 4 – 8 to verify other AWS API Gateway APIs available within the current region.

11 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected region:

aws apigateway get-rest-apis
	--region us-east-1
	--output table
	--query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  aabbccddee  |
|  ccddeeffgg  |
|  bbccddeeff  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine and custom query filters to get information about the stages created for the selected API:

aws apigateway get-stages
	--region us-east-1
	--rest-api-id aabbccddee

04 The command output should return the API stages metadata:

{
    "item": [
        {
            "stageName": "Production",
            "cacheClusterSize": "0.5",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509565551,
            "createdDate": 1509557971,
            "methodSettings": {
                "*/*": {
                    "cacheTtlInSeconds": 300,
                    "loggingLevel": "OFF",
                    "dataTraceEnabled": false,
                    "metricsEnabled": false,
                    "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
                    "throttlingRateLimit": 10000.0,
                    "cacheDataEncrypted": false,
                    "cachingEnabled": false,
                    "throttlingBurstLimit": 5000,
                    "requireAuthorizationForCacheControl": true
                }
            }
        },
        {
            "stageName": "Staging",
            "cacheClusterSize": "0.5",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509565545,
            "createdDate": 1509558509,
            "methodSettings": {
                "*/*": {
                    "cacheTtlInSeconds": 300,
                    "loggingLevel": "OFF",
                    "dataTraceEnabled": false,
                    "metricsEnabled": false,
                    "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
                    "throttlingRateLimit": 10000.0,
                    "cacheDataEncrypted": false,
                    "cachingEnabled": false,
                    "throttlingBurstLimit": 5000,
                    "requireAuthorizationForCacheControl": true
                }
            }
        }
    ]
}

Each item object returned by the command output represents an API stage. Verify the metadata listed for each stage and if the metricsEnabled attribute (within methodSettings object) available for the specified API stage has the value set to false, detailed AWS CloudWatch metrics are not enabled for the selected API stage. Repeat the current step to check the CloudWatch metrics configuration for other API stages created for the selected API.

05 Repeat step no. 3 and 4 to verify other AWS API Gateway APIs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.

Remediation / Resolution

To enable detailed CloudWatch metrics for your Amazon API Gateway APIs stages, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open your APIs listing page.

04 Choose the API that you want to reconfigure (see Audit section part I to identify the right resource), then click on its name to access the API details and configuration.

05 In the left navigation panel, under APIs, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to reconfigure.

07 On the API Stage Editor panel, select Logs tab to access the stage settings.

08 In the CloudWatch Settings section, check Enable Detailed CloudWatch Metrics checkbox to enable the feature.

09 Click Save Changes to apply the configuration changes and enable detailed metrics for the selected stage. Once enabled, each API method will begin to generate the following metrics: API calls, Latency, Integration Latency, 4xx and 5xx errors.

10 Repeat steps no. 6 – 9 to turn on the feature for other API stages created for the selected API.

11 Repeat steps no. 4 – 10 to enable detailed CloudWatch metrics for other APIs available within the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run update-stage command (OSX/Linux/UNIX) using the ID of the API and the name of the API stage that you want to reconfigure as identifiers to enable detailed CloudWatch metrics for the selected API stage. The following command example enables AWS CloudWatch detailed metrics for an API stage named "Production", created for an API identified by the ID "aabbccddee":

aws apigateway update-stage
	--region us-east-1
	--rest-api-id aabbccddee
	--stage-name 'Production' --patch-operations op=replace,path=/*/*/metrics/enabled,value=true

02 The command output should return the API stage metadata:

{
    "stageName": "Production",
    "cacheClusterSize": "0.5",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "z0haur",
    "lastUpdatedDate": 1509619221,
    "createdDate": 1509557971,
    "methodSettings": {
        "*/*": {
            "cacheTtlInSeconds": 300,
            "loggingLevel": "OFF",
            "dataTraceEnabled": false,
            "metricsEnabled": true,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "throttlingRateLimit": -1.0,
            "cacheDataEncrypted": false,
            "cachingEnabled": false,
            "throttlingBurstLimit": -1,
            "requireAuthorizationForCacheControl": true
        }
    }
}

03 Repeat step no. 1 and 2 to activate the feature for other API stages created for the selected API.

04 Repeat steps no. 1 – 3 to enable detailed CloudWatch metrics for other APIs available within the current region.

05 Change the AWS region by updating the --region command parameter value and repeat the process for other regions.

References

AWS Documentation
Amazon API Gateway FAQs
Trace API Management and Invocation
Monitor API execution with Amazon CloudWatch

AWS Command Line Interface (CLI) Documentation
apigateway
get-rest-apis
get-stages
update-stage

Publication date Nov 2, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

APIs Detailed CloudWatch Metrics

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related APIGateway rules